Cross posting this from our commercial mailing list as it likely affects open source users.
On April 14th Microsoft published Security Bulletin MS15-034, describing a vulnerability in http.sys which could potentially lead to remote code execution in the context of the System account via a specially crafted HTTP request. This vulnerability affects all supported versions of Windows.
Event Store uses http.sys when running on Windows. Consequently it is advised that all users apply the patches described in MS15-034.
The security bulletin is available at https://technet.microsoft.com/library/security/ms15-034#KBArticle - it describes which Security Update packages must be applied to each supported version of Windows to mitigate this risk.